Securing Zope and Plone Against the Big, Bad Internet
By: Erik Rose and Steve McMahon
About Erik Rose and Steve McMahon
Steve is the maintainer for the Unified Installer and has done considerable work getting Plone/Zope file system and daemon security right. He also wrote the Going Live section of the forthcoming "Practical Plone" book, which covers Windows and Unix installation security.
Erik writes apachepas, AutoMemberMakerPasPlugin, and WebServerAuth, several prominent authorization-stack plugins. He authored the "Secure Zope" page on the WebLion wiki, which covers ports and firewalls, and is project lead for WebLion's hosting initiative, a VMWare/Debian-based scalable hosting farm for Penn State's colleges and departments.
About the session
Common practices for operating Zope and Plone create some unnecessary security exposure. Zope's security framework and recent Plone improvements provide a lot of coverage, but the principle of defense-in-depth requires that we also operate the service itself with the fewest possible privileges and the best possible use of firewalling and authentication tools. We hope to introduce system integrators to the basic security principles of least-privileges and defense-in-depth and show how they apply to filesystem permissions and ownership, ports and firewalls, service startup, and authentication.
This is going to be very nuts and bolts and will give both Unix-workalike and Windows integrators some concrete steps to execute when they get home.
This is a Talk (45 min)